Post on 13-Jan-2017
It's time to change the basics of Cyber Security
SW is an exact discipline,where is possible everything clearly describe, programme and test.
Content of presentation
Comparison IT with other industries
Security on railways
Aircraft safety
IT - long-term problem
Solving problems with Cyber Security
The difference between the IT and other fields
of human activity
Security on railways more than 130 years
Aircraft safety - cca 100 years
IT/ Cyber security - 20 years persistent problems
A quick view at IT and compared with other industries
The difference between the IT and other fields
of human activity
Also in other fields was solutions, which was gradually overcome.
Design and programing of computer programs
Creating SW and/or firmware is an exact discipline, which can be clearly defined, programmed and tested
SW Authors may not respect the physical and/ or chemical laws, as in other fields
Design and programing of computer programs
More than 20 years of problems with computer viruses and hacker attacks
The situation is getting worse because more use of smart phones, SCADA and IoT (Internet of Things)
The main obstacle to solving the problem of Cyber security
ICT "experts" say : There is no other solution
The current solution is only possible
You do not understand this problem
Always exist a solution, this is the foundation of progress
Security on railways
More than 130 years of experience
The security rules on railway traffic
Old mechanical signal device was ruled over wireWhen the wire is severed then the signal drop down, to "Stop"
Even at the time when was used steam locomotives were building and improvement fail-safe systems
The security rules on railway traffic
Traffic lights
When the bulb breaks up in the green light, then the light turns on yellow
When the bulb breaks up in the yellow light, then the light turns on red
When the bulb breaks up in the red light, then automatically turns on a red light at the previous signal device
The security rules on railway traffic
History and progress
Outdoor security equipment is improving from 1870 to the present. (invention Siemens und Halske)
Outdoor security equipment was and is proposed as a fail-safe
system. Thus, the fault must occur safer state. (red light on
traffic lights, the withdrawal of rail barriers, etc.)
!!! Computers of dispatchers using the normal OS !!!
Safety in the production and repair of aircraft
More than 100 year of experience and improvement
False screws and other parts
On September 8, 1989 crashed of a charter flight no. 394. The airplane Convair CV-580 company Partnair fallen off vertical tail surfaces
Used uncertified screws for fixing the vertical tail surfaces
Solutions - tightening of the purchase and registration of spare parts for aircraft
False screws and other parts
Revelations of fake and poor quality parts caused many changes in the tracking of parts from the manufacturer to the aircraftNorm EN9100 / ISO9120
The documentsFAA-2006-25877
FAA FAR 21.305
PMA ( Parts Manufacturer Approval)
Dreamliner 777 & battery
The new Boeing 777 Dreamliner had a problem with on-board batteries
In January '14 it was not allowed to operate these aircraft
Traffic was allowed again in April '14 after the elimination of problems with the on-board batteries
Cyber Security - long-term problem
Hidden applications
Operating systems were created without safety requirements
On the http://www.eeggs.com is a list of applications that programmers hid in operating systems or other programs
The contradiction between aircraft and IT
Is possible to smuggle out into the operating system strange "parts", malicious executable file (virus)
In the operating system is can surreptitiously modify or alter the original "parts", a program or library
In the IT area is no reliable evidence and/ or control as in aviation
The contradiction between aircraft and IT
Antivirus, antimalware can find only known viruses or suspicious
behavior
This solution is not enough !!
Proof : Stuxnet, Regin, DarkHotel, etc. and many other viruses every day
The causes of problems in the IT environment
PR and business were and is stronger than voice of technicians
Still exist blind trust to freedom of use PC and Internet
Users' wishes were more important than the quality and order
The causes of problems in the IT environment
Antivirus looking for known problems (virus)
Standards and norms do not define the real basics of Cyber Security
"Experts" said that the biggest problem are users
Not a problem
somewhere else?
Not a problem on author SW side?
Creating software is a exact discipline, in which is possible clearly describe everything
The programmer does not need to respect the laws of nature. Aircraft designer must
Bugs in software are caused by poor human work
How to change it ??
Basis for progress - Change is possible !!
The next step - You want really a change ??
Inspiration is in other fields - aerospace, automobiles
Security must be the basis of the system, not an add-on
Course of solving the problem
Checking the integrity of the programs and / or libraries
Control based on publicly known algorithms
The new Internet service that ensures comparing of control's parameters
The golden rule
The Three Laws of Cyber Security
Checksums of file on the user's device
=
Checksums of file issued by author SW
The golden rule in the picture
The Three Laws of Cyber Security
First step definition of rules
Law no. 1
Checksums must be always the same
Law no. 2 The network shall enable checksum verification
Law no. 3 The operating system has to verify the checksum
Another at http://rule.salamandr.cz
The Three Laws of Cyber Security
Second step a new service on the Internet
Three rules define a base. Implementation would be in the form of a new Internet service
Technically, it is a proven and workable solutions
It's time to change the basics of Cyber Security
Inspiration : Traceability of parts in aviation
Motto : Always exist a solution, this is the foundation of progress
Basis rule :
Checksums of file on the user's device= Checksums of file issued by
author SW
It's time to change the basics of Cyber Security
Jiri Napravniknapravnik.jiri@salamandr.czhttp://rule.salamandr.cz
See also : PYRAMID of Cyber Security